2018-10-14 16:49:38 +00:00
|
|
|
#! /sbin/nft -f
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
table inet firewall {
|
|
|
|
|
|
2019-03-30 13:36:03 +00:00
|
|
|
set dns {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
|
|
|
|
elements = { 193.48.225.248 }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
set www {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
|
|
|
|
elements = { 193.48.225.241, 193.48.225.242, 193.48.225.243, 193.48.225.247 }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
set irc {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
|
|
|
|
elements = {193.48.225.244}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
set znc {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
|
|
|
|
elements = { 193.48.225.242 }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
set smtp {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
|
|
|
|
elements = { 193.48.225.249, 193.48.225.245 }
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
set letsencrypt {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
|
|
|
|
elements = {193.48.225.246, 193.48.225.248, 193.48.225.249}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
set federez {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
|
|
|
|
elements = {193.48.225.201}
|
|
|
|
|
}
|
2018-10-14 16:49:38 +00:00
|
|
|
|
2019-03-30 13:36:03 +00:00
|
|
|
set gitlab {
|
2019-02-09 09:23:05 +00:00
|
|
|
type ipv4_addr
|
2018-10-14 16:49:38 +00:00
|
|
|
flags interval
|
2019-03-30 13:36:03 +00:00
|
|
|
elements = { 193.48.225.243 }
|
2018-10-14 16:49:38 +00:00
|
|
|
}
|
|
|
|
|
|
2019-03-30 13:36:03 +00:00
|
|
|
set video {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
|
|
|
|
elements = { 193.48.225.240 }
|
2019-01-09 23:04:58 +00:00
|
|
|
}
|
2019-03-30 13:36:03 +00:00
|
|
|
|
|
|
|
|
set ldap {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
2019-04-29 22:12:26 +00:00
|
|
|
elements = { 193.48.225.240, 193.48.225.248 }
|
2019-01-09 23:04:58 +00:00
|
|
|
}
|
2019-03-30 13:36:03 +00:00
|
|
|
|
|
|
|
|
set ldap_clients {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
2019-04-29 22:12:26 +00:00
|
|
|
elements = { 10.7.0.0/24, 10.69.0.0/20, 185.230.78.37, 51.15.178.125, 193.48.225.0/24 }
|
2019-01-09 23:04:58 +00:00
|
|
|
}
|
2019-03-30 13:36:03 +00:00
|
|
|
|
|
|
|
|
set mysql {
|
|
|
|
|
type ipv4_addr
|
|
|
|
|
flags interval
|
|
|
|
|
elements = {10.7.0.243}
|
2019-01-09 23:04:58 +00:00
|
|
|
}
|
|
|
|
|
|
2018-10-14 16:49:38 +00:00
|
|
|
chain to_dmz {
|
2019-04-29 22:12:26 +00:00
|
|
|
ip saddr 10.7.0.0/16 accept
|
|
|
|
|
|
2019-03-30 13:36:03 +00:00
|
|
|
ip daddr @smtp tcp dport { 22, 25, 80 } accept
|
|
|
|
|
ip daddr @dns tcp dport { 22, 53 } accept
|
|
|
|
|
ip daddr @dns udp dport { 53 } accept
|
|
|
|
|
ip daddr @www tcp dport { 21, 22, 80, 443 } accept
|
|
|
|
|
ip daddr @federez tcp dport { 22, 53, 80, 443, 389 } accept
|
|
|
|
|
ip daddr @federez udp dport { 53, 636 } accept
|
|
|
|
|
ip daddr @znc tcp dport { 6667 } accept
|
|
|
|
|
ip daddr @letsencrypt tcp dport { 80, 443 } accept
|
|
|
|
|
ip daddr @irc tcp dport { 22, 6667, 6697, 6767, 7000, 9090 } accept
|
|
|
|
|
ip daddr @video tcp dport { 37700, 6754 } accept
|
|
|
|
|
ip daddr @video udp dport { 37800 } accept
|
|
|
|
|
ip daddr @video tcp dport { 5678 } accept
|
|
|
|
|
|
2019-04-29 22:12:26 +00:00
|
|
|
ip saddr @ldap_clients ip daddr @ldap tcp dport { 389, 636 } accept
|
|
|
|
|
ip saddr @ldap_clients ip daddr @ldap udp dport { 636 } accept
|
2019-03-30 13:36:03 +00:00
|
|
|
|
|
|
|
|
drop
|
2018-10-14 16:49:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
chain from_dmz {
|
2019-04-29 22:12:26 +00:00
|
|
|
ip daddr 10.0.0.0/8 accept
|
2019-03-30 13:36:03 +00:00
|
|
|
ip daddr @mysql ip saddr != @www tcp dport 3306 drop
|
|
|
|
|
ip daddr @mysql ip saddr != @smtp tcp dport 3306 drop
|
2018-10-14 16:49:38 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
